Types of Cyber Attacks, Threats and Fraud

Types of Cyber Attacks, Threats and Fraud explained.

Trojans

Trojans are computer programs that contain malicious or harmful code within.

• It provides attacker with remote control and access to the victims computer.
• It is installed stealthily on the target computer.
• It can be malicious.

Steps to prevent it from loading on your computer / network

• Never execute exes sent over email, chat, IRC, etc.
• Download only from trusted sites.

What Is IP Spoofing?

IP spoofing (or IP address forgery or a host file hijack) is a technique in which the attacker spoofs a Web site (to conceal the true identity) to carry out their nefarious activities.

Criminals/Hackers use various techniques to mask their true identity, and IP spoofing is one of the most common forms of on-line camouflage.

In IP-spoofing, the hijacker obtains the IP address of a legitimate host and alters packet headers so that the legitimate host appears to be the source. So when a visitor types in the URL (Uniform Resource Locator) of a legitimate site, he/she’s basically taken to a fraudulent Web page created by the hijacker.

Attackers typically spoof their IP address by following these steps:

• Identifying a trusted system: Find out which system is trusted by the target system
• Block the real trusted system: So that it does not interfere in the IP spoofing process (usually done with DOS attack)
• Getting the final sequence number and predicting the succeeding ones: This step is needed so that the calculated sequence number matches the target system’s next sequence number.
• Execute the attack
• Put the trusted system out of the spell of the DOS attack

For IP spoofing attack to be successful it is important that the real trusted system does not interfere and interrupt the spoofing process at any time. This is where DOS (Denial-of-service) attacks come into picture.

By using a DOS attack, the attacker ensures that all the memory of the trusted system is used up so that it cannot respond to packets sent by the victim’s system. Once the attacker is sure that the trusted system will not respond, he can continue with the IP spoofing process.

Source address spoofing (inbound traffic)
Here, the incoming network packets arriving at the protected LAN from an outside network will have a source address that is corresponding to the address range of the internal trusted network. This is an obvious sign of an attack and such kinds of packets are easily detected by the security systems.

Source address spoofing (outbound traffic)
This is opposite of the above scenario. Here, a packet originating from the internal LAN will have a source address of an external network. The objective of this is usually to hide the attacker’s actions, which have originated from an internal network.

Preventing IP Spoofing

Web site administrators can minimize the possibility of IP spoofing by implementing hierarchical or one-time passwords and other data encryption/decryption techniques, and implementing firewalls that block outgoing packets with source addresses that differ from the IP address of the user’s computer or internal network.

Password Cracking Attacks

Types of Password Cracking Attacks.

• Password Guessing: Gather as much personal information about the victim and then try out various combinations of different names and numbers.
• Default Passwords: Most applications have built-in default passwords, which are usually disabled by system admins. But there is always a possibility that some default passwords could still be enabled which could be capitalized by the attacker.
• Dictionary-based Attacks: Hit and Trial method where the attacker uses a tool that uses all words which appear in the dictionary, as the victim’s password.
• Brute Force Attacks: Use a tool that tries out all possible combinations of the available keys on the keyboard as the victim’s password.
• Phishing: An email leads the unsuspecting reader to a faked online banking, payment or other site in order to login and capture their passwords.
• Social engineering – Call an office posing as an IT security tech guy or ask for the network access password.
• Shoulder surfing – Here you hack the easiest way, just watch someone enter his password behind his back. 

Phishing

Phishing is one technique that most hackers use to breach bank accounts, by cheating gullible victims.  The success of this technique depends on how well the hacker is able to win the trust of the victim.

Here’s a typical sequence that a hacker attempts:

1. The hacker sends out a mail that looks like an authentic mail originating from legitimate financial institutions, and asks for the victims personal details.
2. The email asks the user to update or verify user information by clicking a link on the mail; the link however is fake and takes the user to a fraudulent site.
3. Once the victim enters the Log-in & password details, the hacker comes in possession of that, which he/she uses to carry out bank transactions.

It is known as Phishing because the technique used is more or less similar to the one used while fishing. While fishing you use a “bait” to catch fish. In phishing, the bait used is typically an email that appears legitimate.

Pharming

Pharming, also referred to as page-hijacking or page-jacking, is when you are redirected to a fake/scam/bogus version of a website, which may look identical to the website you were trying to view.

Pharming is used to obtain access credentials, such as user names and passwords.

For this method to work successfully, the hacker usually requires unprotected access to the target computer, and that is why its easier to alter a customer’s home computer, rather than a corporate business server.

Here are the steps involved in this scam.

Note: Websites are identified on the Internet by their IP addresses, so whenever a user enters the URL name, it gets translated into an IP address via the DNS server on the internet.

• Once the user visits a website for the first time, the DNS entry for that site is usually stored on the computers local cache so that the browser doesn’t have to keep accessing the DNS server for future visits.
• In pharming, a virus attacks the DNS cache and then modifies the entries so that the user is automatically led to a fraudulent site without him/her knowing about it.
• Once there on the bogus site, the user login credentials are captured in the the usual manner.

So basically, the victim is sent to a fraudulent site using a computer virus. And there are several ways in which the virus could land on that computer, including the possibility that it could have originated from a phishing email.

Big ecommerce sites and online banking websites have been particularly wary of Pharming, and have taken sophisticated measures (anti-pharming) to protect against it. To safeguard against these attacks, you need sophisticated anti-pharming measures; just using Antivirus software and spyware removal software cannot provide 100 percent protection against pharming.

Denial-of-Service (DOS) Attacks

Here are the various Types of Denial-of-Service (DOS) Attacks.

DOS Attack

In a Typical DOS attack, there is a single attacker who uses his system or a spoofed address and tries to bring the target system down. The ratio between the number of attackers and the target system is usually 1:1.

Distributed DOS attack

In a Distributed DOS (D-DOS) attack, the attacker first targets a lesser secure decoy network and takes control of all its systems. The attacker then installs d-DOS attack tools/agents on each of these systems. The attacker then uses all these systems to carry out the d-DOS attack on the actual target system.

D-DOS attack is much more powerful and has a higher success rate than a Typical DOS attack.

Land Attacks

Land attacks exploit the fact that certain networks cannot handle certain data packets (having same source/destination address and port numbers).

Hybrid DOS attack

In this method the attacker can combine various types of attacks. For example, a Land attack coupled with a distributed DOS attack can be one way of executing a hybrid DOS attack.

Attackers Launch DDoS Attacks by Hijacking Insecure Surveillance CCTV cameras

Security firm Imperva detected a distributed denial-of-service (DDoS) attack caused by overloading a resource on a cloud service, but the malicious requests came from surveillance cameras, instead of a typical computer botnet.

Researchers found that one of the CCTV cameras was infected with a variant of a known malware program designed for ARM versions of Linux that’s known as Bashlite, Lightaidra or GayFgt.

Read full story here….

Adware Tracking Cookie

An adware tracking cookie is an adware that is downloaded to you computer with the intention of monitoring your online activities.

While a Spyware spies on you secretly and collects your personal information, an Adware also does the same but you can see all sort of unwanted popup ads on your screen.

When you see the word cookie, it simply means files will be downloaded to your computer to track certain things. Not all of them are bad and most software will tell you that they use cookies when you are about to install the program.

But the problem with most Adware tracking cookies is that they are malicious and are downloaded to your computer without your knowledge. These find their way to your computer when you visit certain websites, and their main intention is to track your online activities and report it back to their creators.

Slows Down Your Computer
Another big problem that you will start noticing is that your computer slows down, obviously because the tracking cookies are running overtime. You may also notice that even when you are not online, you will still see pop-up advertisements which can be quite annoying when you’re doing some important work.

How to Remove Adware Tracking Cookie?
You can apply the normal settings for your browser which states whether your computer can accept cookies or not. This is an easy way to remove any adware tracking cookie. That’s a very useful feature on most browsers!

Adware Removal Software Program
Ideally the privacy settings should take care of most annoying adware tracking cookies, but if that still doesn’t solve the problem then you may have to get an Adware / Spyware removal program. There are free anti-adware software programs available on the internet that you can download to remove adware tracking cookie.

USB Hacking

USB Hacking is a method by which the attacker uses a USB drive to execute programs that are stored on it. The applications stored can be made to Autorun.

Attackers can use this technique to get access to the username and password of the target computer (although an auto-hacking USB DRIVE can also be helpful in recovering passwords.)

Here’s how you can prevent USB Hacking.

• You can disable USB port on your computer
• You can Turn-OFF Autoplay

 

Buffer Overflow Attack

A buffer is a temporary area for data storage. When more data gets placed by a program, the extra data overflows into other buffers and can corrupt or overwrite data they were holding.

In a buffer-overflow attack, hackers can use the extra data to hold specific instructions that could damage files, change data or unveil private information.

There are two types of buffer overflows: stack-based and heap-based.

Stack-based buffer overflows, which are more common among attackers, exploit applications and programs by using what is known as a stack: memory space used to store user input
Heap-based, which are difficult to execute and the least common of the two, attack an application by flooding the memory space reserved for a program.

Steps to prevent Buffer Overflows:

1. Follow Secure Coding Tips
2. Prevent execution of malicious commands
3. Array Bounds Checking
4. Installing latest Patches
5. Hardware based solution “SmashGuard”
6. Address Obfuscation

Fabrication Attack

Fabrication is a type of attack in which the attacker inserts forged objects into the system, without the sender’s knowledge or involvement.

So basically, the user has know knowledge that his system has been compromised! It involves Unauthorized creation, modification, and deletion of information, information systems and network elements.

A Fabrication attack is also known as counterfeiting or accountability attack.

Fabrication can be further categorized in to two types, which are as follows:

• Replaying: When a previously intercepted entity is inserted, this process is called replaying. For example, replaying an authentication message.
• Masquerading: When the attacker pretends to be the legitimate source and inserts his/her desired information, the attack is called masquerading. For example, adding new records to a file or database.

Input Validation attacks

In Input Validation attacks, an attacker intentionally provides unusual inputs to exploit the loopholes present in the application. These attacks can be dangerous and are quite easy to implement (do not require any tool or programming experience).

Most input validation attacks occur due to poor programming practices in the application. Applications that do not validate the inputs properly are vulnerable to Input Validation Attacks.

More common input validation attacks are as follows:

Buffer Overflow
Buffer overflow is due to bad programming or mismanagement of memory by the application developers. To execute a buffer overflow attack, attacker inputs a very long data, or a huge data in the input field.

SQL Injection
This kind of attack occurs when an attacker uses specially crafted SQL queries as an input, which can cause the database to give results when none is expected. Online forms such as login prompts, search enquiries, guest books, feedback forms, etc. are specially targeted to perform SQL Injection.

Cross-site Scripting (XSS)
Cross-site scripting attacks place malicious code, usually JavaScript, in locations where other users can see it. Target fields in forms can be addresses, bulletin board comments, etc.

Canonicalization
These attacks target pages that use template files or otherwise reference alternate files on the web server. The aim is to move outside of the web document root in order to access system files.

Steps to guard against Input Validation Attacks.

• Proper input validation tests should be done for each application before making the application Live. Identify & remove the input validation loopholes during the development stages, as far as possible.
• Take care of the following in the programming code of the application:
  Filter out all special characters from user input
  Check for the content & length of the input
  Restricted user and file access should be implemented in all kinds of application environments

 

Bluejacking

BlueJacking is a term used to refer to the sending of unsolicited messages over Bluetooth to other Bluetooth equipped devices such as mobile phones, laptops, printers, cars, and Personal Data Assistants (PDAs), usually within a range of 10 meters. It allows phone users to send business cards anonymously to one another using Bluetooth technology.

Bluejacking does NOT involve any altercations to your phone’s data. These business cards usually consist of some clever message or joke. Bluejackers are simply looking for a reaction from the recipient.

The person sending the messages doesn’t have any control over your phone so it is technically harmless, however it can be quite confusing for the person on the receiving end when they receive anonymous messages.

It is also used for unsolicited advertising.

Bluejacking is possible because Bluetooth technology is open to receiving communications within the device’s effective range in the 2.4 GHz frequency band. If a device is Bluetooth enabled, it can send or receive Bluejacking messages. 

Bluejacking can be done by following these steps:

• Create a new address book contact on the “Sender” Bluetooth phone, and enter the anonymous message to be sent in the Name field of the address book.
• Scan for the victim mobile phones (known as Discovery). A list will be displayed of all the Bluetooth-enabled devices within 10 metres.
• Send the new address book contact that you created to the victim, by choosing the name from the displayed list. The victim will receive your anonymous message.

What it is Not?

• Bluejacking does NOT involve any altercations to the victim’s data stored in the mobile phone.
• The person sending the messages doesn’t have any control over the victim’s phone, and it cannot cause permanent damage to a mobile phone.
• It is more of an irritant to the victim.

Counter-Measure

To ignore bluejackers, simply reject the business card, or if you want to avoid them entirely, set your phone to non-discoverable mode.

BlueSnarfing

Bluesnarfing means getting access to the data stored on a Bluetooth enabled phone, using Bluetooth wireless technology, and without alerting the user of the connection made to the device.

A hacker could access phonebook and associated images, calendar, and even the IMEI (International Mobile Equipment Identity). An attacker can read messages and even delete them, could play ringtones, videos, could carry out a phone call, set call forwarding options.

Challenges associated with Bluesnarfing :

• By setting the device as non-discoverable, it does become significantly more difficult to find and attack a mobile device.
• Without specialized equipment the hacker must be within a 10 meter range of the device while running a device with specialized software.
• Only specific older Bluetooth enabled phones are susceptible to Bluesnarfing.

Other Countermeasures
It is observed that if your phone is in non-discoverable mode, it becomes significantly more difficult for hackers to bluesnarf your phone.

More countermeasures to prevent a Bluesnarf Attack.

1. If you suspect that your phone is vulnerable to bluesnarfing or bluebugging, contact the manufacturer-authorized dealer
2. Use software patches that are available for many older Bluetooth phones
3. Turn the device to non-discoverable mode when not using Bluetooth technology
4. Never pair with unknown devices or in public places
5. If possible, use an eight character or more alphanumeric PIN

 

Blue Bug attack

Blue Bug is basically a bluetooth security loophole on some bluetooth-enabled cell phones.

It is possible for a hacker to exploit this loophole which will allow him/her the unauthorized downloading of phone books and call lists, the sending and reading of SMS messages from the attacked phone and many more things.

Bluebuggers also have bluesnarf capability, so they can read phonebooks and calendars and more. They can even read a phone’s call list to see who their victims called or who called them. They can even alter those lists.

A Blue Bug attack allows attackers to gain complete control over the data, voice and messaging channels of vulnerable target mobile phones.

A bluebugger can wirelessly direct a phone to make calls without the owner’s knowledge, after which the phone works as a bugging device, picking up conversations in the phone’s immediate area.

Similarly, a bluebugger can set call forwarding and then receive calls intended for the bluebug victim.

Dumpster Diving

Dumpster Diving is the method where attackers go through the target company’s trash, looking for sensitive data in any form possible.

Since an organization’s trash can contain anything from notes, memos, research formulas, presentation slides, plans, there is a high probability to find important information from the trash, unless the trash is disposed properly.

• Notepads lying around containing important numbers and passwords
• Printouts of Performance appraisal documents found in bin
• Computer name, XP-Id and password scribbled on one of the pages of the notepad
• Printouts of bank details scattered near the desk of the victim. Near the printer area, printouts of Passport, PAN were lying uncollected, Form 16A papers were not kept in the drawer once the victim left for the day, Printouts of Salary Slips were thrown in the dust bin
• Important Policy documents left in the meeting room.

Using this technique, any important information that is retrieved in this manner could be used to carry out an attack on the computer network.

Depending on the industry in which your company operates and the sensitivity of the data, it could make sense to have a disposal policy in place to prevent dumpster divers from getting hold of something valuable.

Most companies that implement such policies usually require all paper, including print-outs, to be shredded in a cross-cut shredder before being recycled, any type of storage media to be erased. The policy requires all the staff to undergo training on how to deal with trash.

Shoulder Surfing

Here’s what an attacker is usually trying to do when performing Shoulder Surfing.

The attacker steals sensitive information that is displayed on the screen by looking over the shoulder of the victim.

The attacker pretends to be on a company tour or drops by the victim’s desk under some pretext and steals data by remembering whatever is displayed on the screen or is being typed.

Its also used for spying on the user of a cash-dispensing machine or other electronic device to get their personal identification number, password, etc.

Social engineering Attacks

Social engineering is the technique of influencing people (it’s more of a security attack) into performing actions or revealing confidential information, without the use of any technical tool or system.

Types of Social Engineering Attacks

• Impersonation: The social engineer pretends to be someone else and tries to get sensitive information.
• Intimidation: The social engineer pretends to be someone in power or close to someone in power and tries to get sensitive information.
• Real Life Social Engineering: The attacker physically enters the company premises and tries to retrieve information.
• Fake Prompts: Send a fake login prompt to the victim and ask him to enter important numbers and passwords

Social engineering attacks that are commonly carried out on unknowing victims.

• Trying to find out the victims password by pretending to be a technical person trying to fix some urgent and important technical difficulties.
• Pretend to be someone close to the boss or from the company’s headquarters and use fear and intimidation to get sensitive information from the victim.
• Enter the target company by disguising yourself as a cleaner, driver, employee, or guest and then try to get sensitive information.
• Send an email to the victim directing him to a fake login prompt, which should look exactly similar to his online bank account login screen. Try to capture his login details using this technique.

Difference between Intimidation and Impersonation

• In Intimidation, the attacker pretends to be someone close to the boss or from the headquarters (basically in a position of power) so that the victim will be pressurized to reveal sensitive information (out of fear of displeasing the big bosses).
• In Impersonation, the attacker pretends to be someone else within the corporation like the technical helpdesk, system administrator and so on. Using a lot of technical jargon, the attacker tries to get sensitive information from the victim by pretending to fix something that is important, urgent and professional to the victim.

Here’s an example of how a social engineering attack is carried out. Kindly note that this is only for illustration purpose.

A (Attacker): Hi, This is Mr. Jake, Commissioner Income Tax department. May I know whom am I talking to?
V (Victim): This is Ruth here. How may I help you?

A: I need some details from you on an urgent basis and I request you to fully cooperate with us. We need the bank account details of Mr. Anderson, who seems to have deposited huge sums of money in his bank account through illegal means.
V (Victim): But sorry sir, we are not authorized to provide this information.

A: As I said we’re investigating this case. We have intelligence information saying that Mr Anderson is going to use the money for terrorist activities. We expect full cooperation from your bank and we have permission from Mr Balmer (CEO of your bank) to do the investigation.
V: But Sir…

A: Hey Listen! Any more wastage of my time and I will charge you with obstructing the investigation of this case. Don’t compel me to send my men to your office to interrogate you as well in this matter.
V: Ok. Hold on…I will get you the details…The account number of Mr Anderson is 97788.

A: **Abuses** and bangs the phone down.

SEO Poisoning

In SEO poisoning attack, legitimate websites are targeted (so that they are demoted or even blacklisted by search engines) to improve the SEO of other web pages.

To keep track of pages on the Internet, search engines use automated web scanners, called crawlers or spiders. Their purpose is to find every possible Web page on the net, read its content, and then index it for future user searches.

Attackers often try to exploit this feature in order to trick a search engine into associating a malicious Web page with very common search terms. This attack will cause the malicious Web page to appear among the search results in the search engine’s results page, massively increasing the chances of users visiting it.

This specific attack is not limited to HTML-based Web pages, but it also affects image searches. This shows that the attack can be effective in increasing the common user’s exposure to such malicious websites.

Fortunately, we have observed that the search engines are quick to react to these sites when they are discovered, and the attack is blocked quickly.

Despite the width of exposure, the attack relies on social engineering and still needs a user to acknowledge the results, download, and run an executable. Once again, good sense is the best prevention: do not run anything that you do not trust, especially from sources who claim you are infected with numerous Trojans. 

If you are in doubt, search for more information or only install software from legitimate companies that you know and trust. Web-masters and Site owners are advised to update their passwords and analyze logs to determine all possible entry points for an attacker, including vulnerable CMS packages like WordPress or Joomla.

Experts Believe Cyber Security is Now a Political Issue

The general public is now realizing that (which probably most governments had realized long before) the Internet is slowly turning into a medium with its own marketplaces and battlefields. And probably that is the reason most governments want its streets policed and its businesses regulated, just like any city or country.

The Internet has grown into the world’s chosen medium for almost all daily interaction. Retailers are witnessing billions of dollars of Internet sales every year. On the other hand, Governments, are training cyber-warriors to carry out attacks on foreign computers while protecting those at home.

That’s why its more imporant than ever before, that policy-makers work together to come up with workable solutions & mechanisms to deal with ever increasing online threats & cyber-attacks, some of which can easily put countries at loggerheads against each other.

Cyber security in todays world is undoubtedly a political issue. What makes it so is that governments and politicians at large recognise national interest is heavily impacted by the influence of cyber – now generally used to refer to all automated or computerised systems, in terms of both hardware and software – because cyber is the horizontal element that underpins economic life.

With globalisation enabled by transport technology, communications technology and global markets, and cyber used so widely within the economy and our personal lives, its reach extends deep into the political landscape. All of which means that it has a direct impact on public interest and therefore attracts political attention.

Today, cyber breaches hit large corporations as well as small firms, with these attacks often criminally inspired. In some cases, governments may even be the actual perpetrators, of politically motivated attacks, sometimes resorting to hiring criminal gangs where they do not have the ‘in-house skills’ or simply don’t want the attribution themselves.

A Government’s primary responsibility here is to look at ways in which it can deliver the right regulatory protections, while also creating the economic conditions that allow technology to foster.

So there should be more supporting of start-ups, greater investment in educational resources and more funding for research and development to promote and attract innovation.

Security agencies of most countries are realizing the fact that cyber warfare is emerging as the top threat to national security, with most of them being subjected to frequent attacks from domestic saboteurs and foreign rivals. The long term plan is to focus on capacity building by introducing specialized cyber security related courses in colleges, and encourage certification of IT security practitioners. Countries are also planning to promote cyber security awareness among general public through mutual collaboration.

symantec.com

Estonia Demonstrates How to Fight A Cyber War

Estonia might be a small country but they have shown that they can think fast & act equally fast. Today, Estonia has become a global leader in cyber defence, but it was not the case until a few years back.

So what prompted the change?

First Wave of Attacks

Back in April 2007, when the new government in Estonia (which joined the EU and Nato after breaking away from the Soviet Union) decided to move a Soviet-era war memorial to a location outside the capital city of Talinn, pro-Soviet elements came out on the streets to protest.

What probably the government didn’t expect was that the cyber attacks would start next. The attacks did happen, and in a matter of a few hours, the cyber-attackers had brought down the country’s banks, newspapers, and all government sites, virtually bringing the country to a standstill, and making the authorities red-faced.

Estonia Prepares for Cyber War

The government was quick to acknowledge that a cyber threat can indeed became a real national security threat. Aaviksoo, who was the defence minister then and responsible for moving the statue (Bronze Soldier of Talinn), devised a national strategy to make the country capable of fighting cyber attack.

And few years later, they seem to have succeeded in achieve their objective.

Becoming a Global Leader

Today, Estonia (birthplace of Skype) is a global leader in cyber defense, cyber awareness and cyber education; and also the first country to have a full fledged e-governance infrastructure.

• Courses on cryptography and cyber-security are taught in schools and colleges.
• Students in the age group 5-to-15 years learn to write computer code, as part of a nationwide campaign, to make the next generation ready to take on cyber-attacks

Lessons Learnt

Here are some of the lessons learnt by Estonia in cyber-warfare, which can be useful to any other country.

1. The traditional ‘command and control structures’ needs to be destroyed, because ‘Cyber attacks happen in seconds. You have no time for an emergency cabinet meeting.’
2. The problem of cyber-attacks cannot be completely tackled by any country alone. It needs ‘help, cooperation, & trust’ of other countries and societies. However, this cannot be achieved by imposing any law; a better approach is to have a more horizontal agreement among government, private sector, & civil society. Public awareness and education is imperative because they are usually the first to face an attack (not the officials) and you have to behave responsibly on what you do next.
3. Cyberspace is not a threat as such, so one has to understand the interests and motivations behind an attack. Also, its almost impossible to bring down a nation using cyberspace, although one can create a lot of chaos and possibly destabilize a country. For example, rumors can spread thick-and-fast in this new-age war, and so the responses also have to be in the same medium – instant, and not top-down.